OWASP EU Summit in Portugal: Tuesday

[Running a little behind, as usual.  Over the course of today I’ll be putting up a series of posts to finish out my OWASP EU Summit notes.]

First of all, my favorite part of Tuesday was that I won a t-shirt at the Sensepost training class on offensive web application hacking.  H4x0r skillz!


In addition to that, Tuesday was a really productive day.  I had the opportunity to attend a number of sessions where folks presented their Summer of Code projects and OWASP projects in general:

  • Jason Li – JSP Testing Tool – This tool tests JSP tag libraries to determine which attributes are properly escaped when they are written out to the HTML stream.  It does this by generating a large number of JSP/HTML examples with various payloads placed into the tags’ attributes.  When the page renders, unescaped payloads change the colors of parts of the DOM so you can see which attributes are “dangerous.”  This is a very cool approach and it would be interesting to see how it would apply to ASP.NET web controls as well.
  • Paolo Perego – Orizon – Orizon is a framework for code analysis that can apply various rules to look for security defects.  It currently supports Java and there are plans to make it support .NET.  Source code files are broken down into a number of XML representations and then those XML representations are run through a rules engine to identify potential security issues.
  • Alex Smolen – ESAPI.NET – This is the .NET version of the ESAPI.  Currently it is basically a word-for-word port of the Java ESAPI into C#, but the plan is to update the .NET version to accommodate existing security capabilities of the .NET platform such as the Membership API and the AntiXSS library.
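To make the JSP Testing Tool approach concrete, here is a small Python model of it.  This is an added example, not code from Jason Li's tool or from any of the projects above: the four `render_*` functions are constructed stand-ins for tag implementations under test (one escapes its attribute value, three write it raw in different quoting styles), the `style="background:red"` marker plays the role of the color change the tool looks for in the rendered DOM, and the check is made against the parsed attributes rather than the raw string, so a payload only counts as dangerous if it really escaped its attribute context.

```python
import html
from html.parser import HTMLParser

# Constructed stand-ins for tag implementations under test (assumptions for
# this example, not real JSP tag libraries). Each writes an attribute value
# into an <input> tag; only the first one escapes it.
def render_escaped(value):
    return '<input type="text" value="%s">' % html.escape(value, quote=True)

def render_raw_double_quoted(value):
    return '<input type="text" value="%s">' % value

def render_raw_single_quoted(value):
    return "<input type='text' value='%s'>" % value

def render_raw_unquoted(value):
    return "<input type=text value=%s>" % value

# The marker attribute: a payload that escapes its attribute context adds it
# to the element, which is what changes the element's color in a browser.
MARKER_ATTR, MARKER_VALUE = "style", "background:red"

# One payload per attribute-quoting context (constructed for this example).
PAYLOADS = [
    '" %s="%s' % (MARKER_ATTR, MARKER_VALUE),   # breaks out of "..."
    "' %s='%s" % (MARKER_ATTR, MARKER_VALUE),   # breaks out of '...'
    "x %s=%s" % (MARKER_ATTR, MARKER_VALUE),    # breaks out of an unquoted value
]

class _AttrCollector(HTMLParser):
    """Collects (tag, attributes) for every start tag in the rendered HTML."""
    def __init__(self):
        super().__init__()
        self.elements = []

    def handle_starttag(self, tag, attrs):
        self.elements.append((tag, dict(attrs)))

def marker_injected(rendered_html):
    """True if the parsed DOM carries the marker attribute, i.e. a payload
    escaped its attribute context. Checking parsed attributes instead of
    grepping the string mirrors the rendered-DOM check the tool relies on."""
    parser = _AttrCollector()
    parser.feed(rendered_html)
    parser.close()
    return any(attrs.get(MARKER_ATTR) == MARKER_VALUE for _, attrs in parser.elements)

def audit_renderer(render):
    """Return the payloads that make `render` emit the marker attribute."""
    return [p for p in PAYLOADS if marker_injected(render(p))]

def audit_all():
    """Map each renderer name to the payloads it failed to neutralize."""
    renderers = {
        "escaped": render_escaped,
        "raw_double_quoted": render_raw_double_quoted,
        "raw_single_quoted": render_raw_single_quoted,
        "raw_unquoted": render_raw_unquoted,
    }
    return {name: audit_renderer(fn) for name, fn in renderers.items()}

if __name__ == "__main__":
    for name, dangerous in audit_all().items():
        print("%-18s %s" % (name, "OK" if not dangerous else "UNESCAPED: %r" % dangerous))
```

Running it shows why the tool needs a range of payloads rather than one: each raw renderer is only broken by the payload matching its quoting style, and the unquoted case is defeated by a payload with no quote characters at all, which HTML-escaping would not have touched anyway.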

I also had an opportunity to attend a number of working groups.

The energy and enthusiasm at this event was incredible.  As you’ll see from the following posts we covered a lot of ground during the week and a lot got accomplished.

–Dan
dan _at_ denimgroup.com

About Dan Cornell

A globally recognized application security expert, Dan Cornell holds over 15 years of experience architecting, developing and securing web-based software systems. As the Chief Technology Officer and a Principal at Denim Group, Ltd., he leads the technology team to help Fortune 500 companies and government organizations integrate security throughout the development process. He is also the original creator of ThreadFix, Denim Group's industry leading application vulnerability management platform.
